If you have not deployed an ISE server, you can instead enable an ISE pxGrid integration demo. This demo populates endpoints detected in anomalies with sample user identity information. To enable it, you update the demo pxGrid properties and the controller's configuration. See ISE pxGrid Demo for more information.

ISE pxGrid Demo

The ISE pxGrid integration demo populates anomaly endpoints with sample user identity information, and provides an example of the additional context ISE provides to the Learning Network License system. As you review anomalies in the controller web UI, you can view the sample user identity information for hosts involved in the anomaly.

To enable the demo, you update a pxGrid properties file with demo settings, then update a controller configuration file to enable ISE integration. Finally, you restart controller processes.

Controller pxGrid Client Certificates

The controller contains a pxGrid client which retrieves user information from the ISE server. To integrate Learning Network License with ISE, you first generate a private key and public key certificate signing request (CSR), then have a certificate authority (CA) sign the certificate, using a custom pxGrid certificate template. You then export an ISE identity certificate from the ISE server to the controller. Finally, you create a pxGrid client identity keystore and a Learning Network License controller trusted keystore, and import the appropriate certificates into each.

When you submit the CSR to the CA, the CA must use a custom pxGrid certificate template to sign the certificate. Create this certificate template with an enhanced key usage (EKU) object identifier (OID) for client authentication (1.3.6.1.5.5.7.3.2) and for server authentication (1.3.6.1.5.5.7.3.1).

If you want to specify the certificate subject distinguished name (DN), provide the information. If you want to specify a challenge password, enter a challenge-password. Determine what information your CA requires for a CSR.

Step 5

Submit pxGridClient.csr and the certificate template to a CA.

Submit the certificate signing request to the CA. The CA signs the request, and uses the certificate template to add the EKU OIDs for client authentication and server authentication.

Step 6

Receive the signed certificate and the CA root certificate.

Receive the pxGridClient.cer signed certificate file and the ca_root.cer CA root certificate file from the CA.

Step 7

Upload pxGridClient.cer and ca_root.cer to the controller, in the SCA/services/pxgrid folder.

Upload the signed certificate and root CA certificate to the pxgrid folder on the controller VM.

pxGrid Properties Configuration

After you add certificates to keystores on the controller, configure the pxGrid properties file to allow the controller to trust the certificates and log in to the ISE server to retrieve user identity information.

Update PXGRID_HOSTNAMES with the ISE server IP address. Update PXGRID_USERNAME with a username the controller uses to log in to the ISE server. Update PXGRID_KEYSTORE_FILENAME with the keystore location. Update PXGRID_KEYSTORE_PASSWORD with the pxgrid-keystore-password. Update PXGRID_TRUSTSTORE_FILENAME with the keystore location. Update PXGRID_TRUSTSTORE_PASSWORD with the pxgrid-truststore-password.

Step 4

Press Esc, then enter :wq! and press Enter.

Save your changes and exit vi.
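
A check you can run over the saved properties file before restarting the controller processes, as an added example that is not part of the product or its documentation. The KEY=VALUE file layout, the comma-separated host list, and all sample values and file names are assumptions constructed for illustration.

```python
import ipaddress
from pathlib import Path

# The six settings named in the properties step above.
REQUIRED_KEYS = (
    "PXGRID_HOSTNAMES", "PXGRID_USERNAME",
    "PXGRID_KEYSTORE_FILENAME", "PXGRID_KEYSTORE_PASSWORD",
    "PXGRID_TRUSTSTORE_FILENAME", "PXGRID_TRUSTSTORE_PASSWORD",
)

# Constructed sample, not a real deployment (assumed KEY=VALUE layout).
SAMPLE = """\
PXGRID_HOSTNAMES=192.0.2.10
PXGRID_USERNAME=lnl-controller
PXGRID_KEYSTORE_FILENAME=identity.jks
PXGRID_KEYSTORE_PASSWORD=
PXGRID_TRUSTSTORE_FILENAME=identity.jks
PXGRID_TRUSTSTORE_PASSWORD=example-only
"""

def parse_properties(text):
    """Parse KEY=VALUE lines, skipping blank lines and # comments."""
    lines = (ln.strip() for ln in text.splitlines())
    pairs = (ln.split("=", 1) for ln in lines if "=" in ln and not ln.startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def check_pxgrid_properties(text, base_dir="."):
    """Return a list of problems; an empty list means every check passed."""
    props = parse_properties(text)
    problems = [f"{k}: missing or empty" for k in REQUIRED_KEYS if not props.get(k)]
    # The page asks for the ISE server IP address; a comma-separated list is assumed.
    hosts = props.get("PXGRID_HOSTNAMES", "").split(",")
    for host in filter(None, map(str.strip, hosts)):
        try:
            ipaddress.ip_address(host)
        except ValueError:
            problems.append(f"PXGRID_HOSTNAMES: {host!r} is not an IP address")
    stores = [props.get(k) for k in ("PXGRID_KEYSTORE_FILENAME", "PXGRID_TRUSTSTORE_FILENAME")]
    for name in filter(None, stores):
        if not (Path(base_dir) / name).is_file():
            problems.append(f"store file not found: {name}")
    # The identity keystore and the trusted keystore are created as separate files.
    if stores[0] and stores[0] == stores[1]:
        problems.append("keystore and truststore point to the same file")
    return problems

if __name__ == "__main__":
    print("\n".join(check_pxgrid_properties(SAMPLE)))
```

Pass `base_dir` as the folder that holds the keystores so relative file names resolve the same way they will for the controller.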

pxGrid Activation

After you configure the pxGrid properties, update the controller configuration file to enable pxGrid integration, then restart the controller processes.